Singleton files often represent a large portion of the files encountered by security software vendors. In this context, a singleton may refer to a file that exists exclusively on a single computing device. Many targeted computing threats exist as singleton files. Unfortunately, since singletons are found only on a single computing device, traditional computer security technologies may have difficulty identifying those singletons that are suspicious and/or malicious.
As an example, a security software vendor may be tasked with protecting its customer base from computing threats. Over the course of a year, the security software vendor may encounter 10 billion files in its security efforts. In this example, 9 billion of those files may represent singletons (or at least appear as such to the security software vendor). Unfortunately, many of the security software vendor's threat-detection techniques may be ineffective at identifying which of those 9 billion singletons are malicious. For example, malicious singletons may fail to match any of the security software vendor's virus signatures due to the singletons' unique file hashes. Additionally or alternatively, the security software vendor's reputation service may be unable to determine the reputation of malicious singletons due to a lack of telemetry data.
The instant disclosure, therefore, identifies and addresses a need for improved systems and methods for identifying suspicious singleton files using correlational predictors.